The Dam Bursts
In the West Bend case, Klaudia Sekura brought a putative class action against Krishna Schaumburg Tan, a franchisee of a tanning salon, for a technical BIPA violation. The underlying claim involved Ms. Sekura’s assertion that when she registered for membership, Krishna collected her fingerprint for use as a biometric key to allow her access to the facility. Krishna shared the biometric information, the fingerprint, with a third-party vendor without first gaining Sekura’s written consent.
West Bend, Krishna’s insurer, defended Krishna under a reservation of rights and brought a declaratory action seeking to deny coverage. The trial court granted summary judgment in Krishna’s favor, and the Appellate Court of Illinois, First District, affirmed. On appeal, West Bend argued that the BIPA violation did not constitute a personal injury under the policy and also that the policy’s exclusion for violations of statutes governing communications barred coverage.
The court held that the sharing of data constituted a publication and could therefore be considered a personal injury, discussing the definition of the word “publication” in the context of both defamation and privacy claims. The court further reasoned that the policy’s violations-of-statutes exclusion related to the means in which the information was shared, not the BIPA data-sharing violation itself.
West Bend has appealed, but Section leaders believe the decision was correct. “The exclusion in the West Bend policy was very narrow,” notes Elbert. “Newer policy exclusions specifically refer to violations of BIPA, and I expect that to be the standard in the coming year,” she predicts. She also adds that “once carriers pick up a claim, they will add this exclusion for the next policy year.”
Jurisdictional Differences
“Illinois is alone among states with a private cause of action for a technical violation,” observes Grace C. Wen, Boston, MA, member of the Section’s Privacy & Data Security Committee who presented on data privacy and BIPA at the 2020 Section Annual Conference. Other states, such as Arkansas, California, New York, Texas, and Washington, currently regulate the disclosure of biometric information, but the goal is remedial rather than remunerative. For example, in California, the recently enacted California Consumer Privacy Act (CCPA) requires exhaustion of other remedies before bringing litigation. “The CCPA focuses more on gaining consumer consent, confirming the information is correct, and having it deleted if you want,” clarifies Wen.
By contrast, BIPA has teeth. Hefty penalties for technical violations—$1,000 for a negligent violation and $5,000 for a reckless or intentional violation—were probably a driving force behind Facebook’s $550 million settlement of class claims for alleged facial recognition privacy violations. “Facebook didn’t have much of a defense,” opines Wen. “All the class had to do was show a technical violation.”
As a result, companies should be aware of the risk and determine whether they have coverage. “Businesses should take data privacy seriously,” advises Wen. “With more personal information available, it is more likely that a private company is going to be subject to litigation for disclosure of the data.”
And be dogged in seeking coverage, counsels Elbert. “Every litigator should look for insurance coverage when their client is sued for BIPA and CCPA violations. Don’t take no for an answer.”